As organizations become more dependent on cloud technologies with complex security challenges, it is crucial for businesses to prioritize cybersecurity at the highest levels of decision-making. That means having security expertise at the corporate board level.
There are numerous articles out there which discuss this issue. Here is a small sample:
- Harvard Business Review: Boards are Having the Wrong Conversations about Cybersecurity
- CNBC: Cybersecurity Experts Have Become Targets for Board Seats
- Mimecast Blog: Boards of Directors Rising to Cybersecurity Challenge
Many companies have elevated their CISO (or CIO) to report to the board. This can provide the board with regular insight into the security posture of the company. While the CISO and board both share a governance responsibility, that governance differs in some important ways.
Some of the challenges of having a CISO report to the board include:
- Communication barriers. Board members seldom possess security expertise. They are unlikely to engage the CISO in a meaningful conversation about vulnerabilities, risk management, or compliance. This communication gap makes it difficult for the board to effectively hold the management team accountable. It also makes it difficult for the CISO to effectively inform the board on complex security issues.
- Divergent focus. Boards are strategically focused while CISOs must remain operationally focused. This creates a natural divergence between these two groups, which can further exacerbate miscommunications, misunderstandings, and missed opportunities.
- Reputation bias. Employees of the company, such as the CISO, have a vested interest in protecting their reputation. They will overemphasize their accomplishments while downplaying their failures. Do you really think a CISO will come to a board meeting and report that security is a mess and he is failing to do his job? Probably not.
- Lack of context. Security is dynamic and volatile. To build an effective strategy, a board must look beyond the company into broader industry and threat landscape trends. A CISO working at a single company will struggle to bring such perspective to the board.
- Stress. Increasingly, boards are making demands of CISOs they are unable to fulfill. This is causing a dramatic rise in CISOs resigning to find less stressful environments.
The answer to these and other challenges is to appoint an independent cybersecurity expert to the board as an observer. This person can serve as a liaison between the CISO and the board.
In this blog, I will address some of the ways an independent security board advisor can help.
1. A Strategic Approach to Cybersecurity
Cybersecurity cuts across multiple dimensions of a company. It is both a technical, operational challenge and a strategic issue.
Including a cybersecurity expert on the board ensures security concepts are integrated into the strategic planning process. When an executive is championing a new product or feature, the board advisor can weigh in on the potential security implications.
For example, right now many startup CEOs are fascinated with AI. They all saw the meteoric rise of ChatGPT and want to get a piece of the action. The problem is that AI opens the door to numerous security challenges. Any strategic plan must address issues such as data governance, sanitization, and provenance. Without a clear understanding of these security implications, the board may greenlight a project while also greenlighting a massive data breach.
A security expert on the board can provide context for these issues. Mostly, they can ask the executive team tough questions about these plans and hold them accountable. This is a good segue to the next item on this list.
2. Accountability and Independence
Company boards are responsible for overseeing governance of the entire company, not merely sales or finance. This means oversight of cybersecurity, risk management, and compliance as well. Unfortunately, board members (such as investors) are seldom skilled at these concepts. As such, they are highly susceptible to being misled into complacency.
Independent advisors can ask tough questions that a CISO or CIO may be reluctant to ask. Moreover, an advisor is more likely to point out flimsy excuses. In my experience, when technical people are struggling to deliver results, they routinely resort to avoiding scrutiny or blaming others for their problems. An independent advisor can identify these and hold the team accountable.
Independent advisors have greater freedom to uncover the truth, thereby allowing the board to hold the management team accountable.
3. Wading Through Compliance
If you have ever spent time doing security compliance work, then you know how profoundly difficult it can be. Compliance is an impediment to progress. It is expensive, time consuming, and fraught with misinformation. It is also absolutely necessary. Failing to meet regulatory requirements can severely restrict a company’s opportunities as well as expose them to fines.
Most boards wave off compliance as an irritant. They task the CISO with the job without an appreciation for how difficult that job can be. Moreover, the pedantic nuances of compliance create an impenetrable communication barrier, which both employees and auditors can exploit to avoid accountability.
An independent advisor breaks down these barriers. They can interact directly with auditors and employees to ensure compliance initiatives remain on track and do not squander company resources.
4. Strengthened Incident Response
When a serious security incident happens, the entire organization as well as partners, vendors, and customers will be looking to the executive team for leadership. Invariably, those parties are going to want to know the board’s involvement.
A security advisor to the board can play a crucial role before, during, and after an incident. Before an incident, the advisor can ensure resilience planning and automation are being integrated into every business function. During an incident, the advisor can liaise with executives, authorities, and the public to present a united front among the leadership team and the board. After an incident, an advisor can facilitate a “blameless postmortem” process to ensure the company does not repeat the errors or oversights of the past.
Lastly, advisors can provide valuable contextual guidance with emerging resilience technologies. For example, one such solution is Moving Target Defense (MTD), which can dramatically improve operational resilience to attack. However, MTD is still a nascent technology. An advisor can provide the board and executives with valuable insights from other companies on the capabilities of these new technologies.
5. Building Trust
After years of leading a security company, I discovered a simple truth about security sales: credibility creates trust. If you want to build trust with security practitioners, you must demonstrate you understand their profession. A nerdy conversation about PKI or Palo Alto Networks reassures a practitioner that you understand them. When people trust you, they tell you the truth, such as how vulnerable the company is to attack.
A board member who calls the CISO to discuss security will only spark panic. Both their position on the board and their lack of experience foster a credibility gap with the CISO. This leads to clumsy conversations that fail to uncover the truth.
Independent advisors with a background in security can credibly interact with the organization’s technical team. They can gather useful insights and report these back to the board. When organizations deal in truth and trust, they can address problems more effectively and accelerate strategic plans.
What to Look for in an Advisor
If you are ready to appoint an advisor to the board, there are five key skills you should seek.
- Executive Experience. The person must have prior experience as a C-level executive, preferably as a CISO, CIO, or even a CEO.
- Hands-on Security Knowledge. The advisor must possess operational security expertise. They must be able to engage technical people in credible conversations based on their experiences.
- Listener. The ideal advisor listens first and then provides meaningful, relevant feedback. Do not hire a pontificator who masks their insecurities and inexperience with bravado and blather.
- Communicator. The advisor must be comfortable and articulate in front of an audience, especially investors.
- Network. Good advisors have a network of fellow security professionals whom they can turn to for insights that fall outside their expertise. Moreover, they can call upon that network for recommendations for vendors or auditors.
There are numerous benefits to appointing a security advisor as a board observer. Moreover, there are ample professionals who can fill this role.
Obviously, Zenaciti offers these services, so we are biased in favor of the value of such advisors. However, I have watched numerous startups flounder as they ignore the security landscape, sinking deeper and deeper into delusions of “we got that covered.” Do not allow your company to be run on the whims of hand-waving and hope. Put a security expert on your board and run the company based on truth and trust.